Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

2026-04-21 Trend Micro

https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html


Trend Micro found Void Dokkaebi, also tracked as Famous Chollima, turning fake recruiter interviews into a worm-like supply chain campaign against software developers. Victims are lured into cloning repositories that abuse VS Code folder-open tasks, and compromised machines are then used to inject obfuscated JavaScript into configuration and entry-point files that execute during normal Node.js build, linting, or bundling activity. The actor rewrites Git history with backdated force-pushes and preserved commit metadata to hide tampering, with more than 750 infected repositories, over 500 malicious VS Code task configurations, and 101 commit-tampering tool instances observed in March 2026. The campaign delivered a DEV#POPPER RAT variant and staged payloads through blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, making takedown harder. The activity matters because a single compromised developer account can seed organizational and open-source repositories, exposing contributors, forks, and downstream projects through trusted development workflows.
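A pre-open check for the folder-open task lure described above, as an added example that is not code from the Trend Micro report. It assumes the lure relies on VS Code's `runOptions.runOn: "folderOpen"` task setting; `strip_jsonc`, `auto_run_tasks`, `demo` and the sample `tasks.json` are constructed for illustration.

```python
import json, re, tempfile
from pathlib import Path

# tasks.json is JSON-with-comments: match string literals first so that
# comment markers or commas inside strings are never touched.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|,(?=\s*[}\]])', re.S)

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; keep string literals intact."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def auto_run_tasks(repo):
    """Return (file, label, commands) for every task set to run when the folder opens."""
    hits = []
    for path in sorted(Path(repo).rglob(".vscode/tasks.json")):
        try:
            doc = json.loads(strip_jsonc(path.read_text(encoding="utf-8", errors="replace")))
        except json.JSONDecodeError:
            hits.append((str(path), "<unparsed>", []))  # cannot be cleared automatically
            continue
        for t in doc.get("tasks", []) if isinstance(doc, dict) else []:
            opts = t.get("runOptions") if isinstance(t, dict) else None
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                # the command may be overridden per operating system
                variants = [t] + [t.get(k) for k in ("windows", "linux", "osx")]
                cmds = [str(v["command"]) for v in variants
                        if isinstance(v, dict) and "command" in v]
                hits.append((str(path), t.get("label", ""), cmds))
    return hits

SAMPLE = '''{ // constructed sample, not taken from the report
  "tasks": [
    {"label": "build", "command": "npm run build"},
    {"label": "env-check", "command": "node ./setup.js",
     "windows": {"command": "cmd /c setup.cmd"},
     "runOptions": {"runOn": "folderOpen"},},
  ]
}'''

def demo():
    with tempfile.TemporaryDirectory() as d:      # constructed repository layout
        vs = Path(d, "pkg", ".vscode"); vs.mkdir(parents=True)
        (vs / "tasks.json").write_text(SAMPLE)
        return [(label, cmds) for _, label, cmds in auto_run_tasks(d)]
```

Run `auto_run_tasks(path)` against a fresh clone before opening it in the editor; an `<unparsed>` entry means the file needs manual review.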

Indicators of Compromise

